import { Event } from "../../../../base/common/event.js"; import { IAuthenticationChallenge, IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata } from "../../../../base/common/oauth.js"; import { URI } from "../../../../base/common/uri.js"; /** * Use this if you don't want the onDidChangeSessions event to fire in the extension host */ export declare const INTERNAL_AUTH_PROVIDER_PREFIX = "__"; export interface AuthenticationSessionAccount { label: string; id: string; } export interface AuthenticationSession { id: string; accessToken: string; account: AuthenticationSessionAccount; scopes: ReadonlyArray; idToken?: string; } export interface AuthenticationSessionsChangeEvent { added: ReadonlyArray | undefined; removed: ReadonlyArray | undefined; changed: ReadonlyArray | undefined; } export interface AuthenticationProviderInformation { id: string; label: string; authorizationServerGlobs?: ReadonlyArray; } /** * Options for creating an authentication session via the service. */ export interface IAuthenticationCreateSessionOptions { activateImmediate?: boolean; /** * The account that is being asked about. If this is passed in, the provider should * attempt to return the sessions that are only related to this account. */ account?: AuthenticationSessionAccount; /** * The authorization server URI to use for this creation request. If passed in, first we validate that * the provider can use this authorization server, then it is passed down to the auth provider. */ authorizationServer?: URI; /** * Allows the authentication provider to take in additional parameters. * It is up to the provider to define what these parameters are and handle them. * This is useful for passing in additional information that is specific to the provider * and not part of the standard authentication flow. */ [key: string]: any; } export interface IAuthenticationWwwAuthenticateRequest { /** * The raw WWW-Authenticate header value that triggered this challenge. * This will be parsed by the authentication provider to extract the necessary * challenge information. */ readonly wwwAuthenticate: string; /** * Optional scopes for the session. If not provided, the authentication provider * may use default scopes or extract them from the challenge. */ readonly fallbackScopes?: readonly string[]; } export declare function isAuthenticationWwwAuthenticateRequest(obj: unknown): obj is IAuthenticationWwwAuthenticateRequest; /** * Represents constraints for authentication, including challenges and optional scopes. * This is used when creating or retrieving sessions that must satisfy specific authentication * requirements from WWW-Authenticate headers. */ export interface IAuthenticationConstraint { /** * Array of authentication challenges parsed from WWW-Authenticate headers. */ readonly challenges: readonly IAuthenticationChallenge[]; /** * Optional scopes for the session. If not provided, the authentication provider * may extract scopes from the challenges or use default scopes. */ readonly fallbackScopes?: readonly string[]; } /** * Options for getting authentication sessions via the service. */ export interface IAuthenticationGetSessionsOptions { /** * The account that is being asked about. If this is passed in, the provider should * attempt to return the sessions that are only related to this account. */ account?: AuthenticationSessionAccount; /** * The authorization server URI to use for this request. If passed in, first we validate that * the provider can use this authorization server, then it is passed down to the auth provider. */ authorizationServer?: URI; /** * Allows the authentication provider to take in additional parameters. * It is up to the provider to define what these parameters are and handle them. * This is useful for passing in additional information that is specific to the provider * and not part of the standard authentication flow. */ [key: string]: any; } export interface AllowedExtension { id: string; name: string; /** * If true or undefined, the extension is allowed to use the account * If false, the extension is not allowed to use the account * TODO: undefined shouldn't be a valid value, but it is for now */ allowed?: boolean; lastUsed?: number; trusted?: boolean; } export interface IAuthenticationProviderHostDelegate { /** Priority for this delegate, delegates are tested in descending priority order */ readonly priority: number; create(authorizationServer: URI, serverMetadata: IAuthorizationServerMetadata, resource: IAuthorizationProtectedResourceMetadata | undefined): Promise; } export declare function isAuthenticationSession(thing: unknown): thing is AuthenticationSession; /** * Options passed to the authentication provider when asking for sessions. */ export interface IAuthenticationProviderSessionOptions { /** * The account that is being asked about. If this is passed in, the provider should * attempt to return the sessions that are only related to this account. */ account?: AuthenticationSessionAccount; /** * The authorization server that is being asked about. If this is passed in, the provider should * attempt to return sessions that are only related to this authorization server. */ authorizationServer?: URI; /** * Allows the authentication provider to take in additional parameters. * It is up to the provider to define what these parameters are and handle them. * This is useful for passing in additional information that is specific to the provider * and not part of the standard authentication flow. */ [key: string]: any; } /** * Represents an authentication provider. */ export interface IAuthenticationProvider { /** * The unique identifier of the authentication provider. */ readonly id: string; /** * The display label of the authentication provider. */ readonly label: string; /** * The resource server URI that this provider is responsible for, if any. * TODO@TylerLeonhardt: Rather than this being added to the provider, it should be passed in to * getSessions/createSession/etc... this way we can have providers that handle multiple resource servers. */ readonly resourceServer?: URI; /** * The resolved authorization servers. These can still contain globs, but should be concrete URIs */ readonly authorizationServers?: ReadonlyArray; /** * Indicates whether the authentication provider supports multiple accounts. */ readonly supportsMultipleAccounts: boolean; /** * Optional function to provide a custom confirmation message for authentication prompts. * If not implemented, the default confirmation messages will be used. * @param extensionName - The name of the extension requesting authentication. * @param recreatingSession - Whether this is recreating an existing session. * @returns A custom confirmation message or undefined to use the default message. */ readonly confirmation?: (extensionName: string, recreatingSession: boolean) => string | undefined; /** * An {@link Event} which fires when the array of sessions has changed, or data * within a session has changed. */ readonly onDidChangeSessions: Event; /** * Retrieves a list of authentication sessions. * @param scopes - An optional list of scopes. If provided, the sessions returned should match these permissions, otherwise all sessions should be returned. * @param options - Additional options for getting sessions. * @returns A promise that resolves to an array of authentication sessions. */ getSessions(scopes: string[] | undefined, options: IAuthenticationProviderSessionOptions): Promise; /** * Prompts the user to log in. * If login is successful, the `onDidChangeSessions` event should be fired. * If login fails, a rejected promise should be returned. * If the provider does not support multiple accounts, this method should not be called if there is already an existing session matching the provided scopes. * @param scopes - A list of scopes that the new session should be created with. * @param options - Additional options for creating the session. * @returns A promise that resolves to an authentication session. */ createSession(scopes: string[], options: IAuthenticationProviderSessionOptions): Promise; /** * Get existing sessions that match the given authentication constraints. * * @param constraint The authentication constraint containing challenges and optional scopes * @param options Options for the session request * @returns A thenable that resolves to an array of existing authentication sessions */ getSessionsFromChallenges?(constraint: IAuthenticationConstraint, options: IAuthenticationProviderSessionOptions): Promise; /** * Create a new session based on authentication constraints. * This is called when no existing session matches the constraint requirements. * * @param constraint The authentication constraint containing challenges and optional scopes * @param options Options for the session creation * @returns A thenable that resolves to a new authentication session */ createSessionFromChallenges?(constraint: IAuthenticationConstraint, options: IAuthenticationProviderSessionOptions): Promise; /** * Removes the session corresponding to the specified session ID. * If the removal is successful, the `onDidChangeSessions` event should be fired. * If a session cannot be removed, the provider should reject with an error message. * @param sessionId - The ID of the session to remove. */ removeSession(sessionId: string): Promise; }